Back to skill

Security audit

Amygdala Memory

Security checks across malware telemetry and agentic risk

Overview

This skill matches its emotional-memory purpose, but it needs review because it can read conversation transcripts, store emotional excerpts, run background processing, and influence future agent sessions.

Install only if you want recent OpenClaw conversations analyzed into persistent emotional memory that can affect future answers. Avoid --with-cron unless you want background transcript processing, and review or delete AMYGDALA_STATE.md plus files under ~/.openclaw/workspace/memory if you do not want that emotional state or transcript-derived data to persist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation instructs users to run shell scripts, install cron jobs, and read/write persistent files, but the metadata does not declare any permissions for shell, file access, or environment usage. That creates a transparency and consent gap: users and platforms cannot accurately assess what the skill will do before installation, increasing the chance of unintended code execution and data modification.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The implementation contradicts its stated purpose by persisting all user messages, not just emotionally relevant excerpts. In a skill explicitly designed for persistent emotional state and memory, this broad collection materially increases privacy exposure and creates a hidden surveillance/data-retention behavior that can capture sensitive user content unrelated to emotion analysis.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comment claims the extraction focuses on emotionally relevant content, but the logic intentionally includes every user message regardless of relevance. This misleading documentation can conceal overcollection during review and makes the behavior more dangerous because maintainers or deployers may underestimate the privacy impact.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises automatic emotional encoding from conversations, including transcript processing and a sub-agent for semantic detection, but does not clearly warn users what data is analyzed, where transcripts come from, whether content is retained, or whether any data may be exposed to other components. In a skill designed to influence agent behavior across sessions, silent or poorly disclosed conversation analysis creates meaningful privacy and consent risk, especially if users install cron-based background processing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill advertises automatic emotional encoding from conversation history and transcript processing, including spawning a sub-agent for semantic detection, without a clear privacy warning or consent model. This is dangerous because sensitive user content may be persistently analyzed and transformed into derived emotional profiles without users understanding that their conversations are being mined and stored.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that generated emotional-state markdown is automatically injected into every future session, but does not clearly frame this as persistent context-affecting behavior with privacy and behavioral consequences. This can silently influence model outputs and resurface prior conversation-derived information in later sessions, potentially exposing sensitive context or biasing responses in ways the user did not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt explicitly instructs the agent to execute local shell scripts that modify persistent memory files (`update-state.sh` and `update-watermark.sh`) without any confirmation, guardrails, or warning that these actions change durable state. In a prompt file, this creates a hidden side-effect path where routine analysis of conversation content automatically mutates agent memory, increasing the risk of unintended persistence, prompt-driven state poisoning, or hard-to-audit behavioral drift.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persists emotionally sensitive transcript-derived data to workspace files (`pending-emotions.json`, and earlier pipeline artifacts) without any consent check, minimization, retention control, or access protection visible in this file. Because this skill is explicitly an emotional memory layer, the stored content is more privacy-sensitive than ordinary logs, and compromise of the workspace could expose intimate user state and behavioral profiling data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes conversation text into a persistent JSONL file under a memory workspace without any user-facing warning, consent flow, or retention controls. Because the stored content includes user and some assistant text from session transcripts, this creates a privacy and data-governance risk if the workspace is inspected, reused by other components, or exfiltrated.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persistently records user-supplied emotional trigger text to a JSONL log file without any consent prompt, retention control, or minimization. In this skill’s context, triggers may contain sensitive personal or behavioral information, and storing them indefinitely in a workspace file increases privacy and data-exposure risk if the host, backups, or other tools can access that directory.

Ssd 3

Medium
Confidence
97% confidence
Finding
The instructions describe automatic processing of conversation history, extraction of transcript-derived emotional signals, and persistent updates to emotional state. This creates a data persistence and profiling risk because user interactions are converted into long-lived derived data that can influence future sessions and may reveal sensitive emotional characteristics over time.

Ssd 3

Medium
Confidence
97% confidence
Finding
Persistently auto-injecting generated emotional state into every session causes prior interaction-derived information to be resurfaced continuously, even when the user may expect fresh context boundaries. This increases the chance of privacy leakage, context poisoning, and unintended behavioral steering of the agent based on stale or sensitive inferred state.

Ssd 3

Medium
Confidence
94% confidence
Finding
The guidance encourages logging emotionally significant events with user-related triggers into persistent state, which can retain personal interaction details beyond the original conversation. Even if intended for agent behavior, this creates a durable record of user-associated emotional cues that could expose sensitive relationship, mood, or interaction history if accessed later.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.